Security apps should be open to scrutiny, said a Black Hat speaker, using Sophos Antivirus as an example

Lack of scrutiny is harming the quality of security tools, according to a researcher presenting at the Black Hat security conference, who demonstrated weaknesses in Sophos’ antivirus software to prove his point.

Tavis Ormandy, who works as a security engineer for Google, said he used Sophos Antivirus for his demonstration simply because it was readily available. He said he intended to demonstrate the principle that security products should be able to stand up to scrutiny.

Weaknesses

“If close inspection of a security product weakens it, then the product is flawed,” Ormandy wrote in the paper (PDF) accompanying his presentation. “The veil of obscurity removes all incentive to improve, which can result in heavy reliance on antiquated ideas and principles.”

Ormandy found, for instance, that the vast majority of Sophos’ antivirus signatures were auto-generated and often referenced irrelevant data, in spite of Sophos’ claim that the signatures were hand-reviewed.

He also claimed that a 64-bit encryption scheme used by Sophos stores the decryption key in the encrypted file itself, which makes the data trivial to recover: whoever has the file has the key.
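To make the point concrete, the following Python is an added illustration, not code from Ormandy's paper or from Sophos. It models a scheme of the kind the article describes: an 8-byte (64-bit) key kept in the clear at the start of the file and used to scramble the payload. The container layout (magic, key, body), the field names and the sample payload are constructed for the example and do not describe Sophos' actual file format; the use of repeating-key XOR as the cipher is likewise an assumption for illustration. The example also goes one step beyond the article: the last function shows that even if the key were not embedded, a repeating 64-bit XOR key falls to eight bytes of known plaintext.

```python
"""
Why "encryption" with the key stored in the file is not encryption.

Constructed container layout (an assumption for this example):

    bytes 0..3   magic   b"XKEY"
    bytes 4..11  the 64-bit key, stored in the clear
    bytes 12..   payload XORed with the key, repeating every 8 bytes
"""

MAGIC = b"XKEY"
KEY_LEN = 8  # 64-bit key, the size mentioned in the article

# Constructed sample data for the demonstration (not real signature content).
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_PAYLOAD = b"SIGFILE1\x00name=Example-A;pattern=4d5a90000300;"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a key that repeats every len(key) bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Build a container in the constructed format: magic || key || XOR(payload, key)."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    return MAGIC + key + xor_repeating(payload, key)


def unpack_with_embedded_key(blob: bytes) -> bytes:
    """
    Recover the payload using nothing but the file itself.
    No secret is needed: the key sits in the header next to the ciphertext.
    """
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not an XKEY container")
    key_start = len(MAGIC)
    key = blob[key_start:key_start + KEY_LEN]
    return xor_repeating(blob[key_start + KEY_LEN:], key)


def recover_key_known_plaintext(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """
    Even without the embedded key, a repeating 8-byte XOR key is recovered from
    8 bytes of known plaintext, since key[i] = ciphertext[i] ^ plaintext[i].
    A fixed file-format header (like the "SIGFILE1" tag above) is enough.
    """
    if len(known_prefix) < KEY_LEN or len(ciphertext) < KEY_LEN:
        raise ValueError(f"need at least {KEY_LEN} bytes of ciphertext and known plaintext")
    return xor_repeating(ciphertext[:KEY_LEN], known_prefix[:KEY_LEN])


def demo() -> dict:
    """Run both recoveries against the constructed sample and report the results."""
    blob = pack(SAMPLE_PAYLOAD, SAMPLE_KEY)
    body = blob[len(MAGIC) + KEY_LEN:]
    return {
        "container_len": len(blob),
        "plaintext_via_header_key": unpack_with_embedded_key(blob),
        # Attacker guesses only the 8-byte format tag, never sees the header key.
        "recovered_key": recover_key_known_plaintext(body, b"SIGFILE1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The first recovery needs no cryptanalysis at all, which is the article's point: an obscured file, not an encrypted one. The second shows why moving the key out of the file would not rescue such a scheme; only a real cipher with a key the attacker never obtains would.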

According to Ormandy, the exploit mitigation feature in the product functioned only under versions of Windows prior to Vista. A pre-execution analysis feature that runs suspect code in an emulator is “substandard”, he wrote.

“Sophos [officials] demonstrate considerable naivety in many topics key to the efficacy of their product,” Ormandy wrote. “Their widespread use of XOR encryption for secrecy, and their poor understanding of rudimentary exploitation concepts like return-to-libc reinforce this. The pseudo-scientific terminology used by Sophos to promote their software masks elementary pattern matching techniques. While their attempt at implementing runtime exploit mitigation should be applauded, their failure to understand the subject area resulted in a substandard product far exceeded by existing published solutions.”

Sophos’ response

Sophos acknowledged that it had been contacted by Ormandy about the flaws identified in the paper and was working on the issues identified.

“Having assessed the findings in Tavis’s report, Sophos can assure customers that their protection is not compromised,” said Sophos senior technology consultant Graham Cluley in a blog post.

Cluley noted that the encryption system in question is used “in a few cases” and is being phased out.

“However it should be clear that this algorithm is not used to secure data that could compromise users’ computers or the customer network,” Cluley wrote. “Furthermore, it’s important to understand that this algorithm is not used in our encryption products which meet global accepted encryption standards (Common criteria, FIPS).”

Regarding a weakness that Ormandy said could be used by attackers to send false signatures to users’ systems, Cluley argued the likelihood of the weakness being exploited was low.

“Sophos is in the process of fixing this weakness in the next release,” Cluley wrote. “Furthermore, if an updating location is configured according to best practices, it is very hard to compromise.”

Regarding questions around the performance of Sophos’ buffer overflow protection and other quality issues, Cluley said the company is always looking to improve its products.

“Naturally Sophos is committed to continually improving performance and protection and regularly participates in independent third party tests,” he wrote.